Nils Klarlund and Fred B. Schneider

October  30,  1990 

Abstract 

Using the notion of progress measures, we give a complete verification method for proving that a program satisfies a property specified by an automaton having bounded nondeterminism. Such automata can express any safety property. Previous methods, which can be derived from the method presented here, either rely on transforming the program or are not complete.


1  Introduction 

Nondeterministic automata are a convenient mathematical abstraction for programs and specifications that define infinite sequences of events [Arn83, Par81, Sis89b, Var87]. A program is modelled as an automaton $A_P$, called the program automaton, which accepts a language $L(A_P)$ of infinite behaviors (words); a specification is modelled as an automaton $A_S$, called a specification automaton, which accepts the language $L(A_S)$. $A_P$ satisfies $A_S$ if every behavior of $A_P$ is allowed by $A_S$; that is, if $L(A_P) \subseteq L(A_S)$.

In this article we describe a new method for verifying that $L(A_P) \subseteq L(A_S)$. Our approach is based on the notion of progress measure, introduced in [Kla90]. A progress measure $\mu$ for establishing $L(A_P) \subseteq L(A_S)$ quantifies how a behavior of $A_P$ converges towards a behavior that would be accepted by $A_S$. This convergence is characterized by using a progress relation $\rhd_S$ (which depends only on $A_S$) and is established by proving the verification condition:

For any transition in $A_P$ from state $p$ to $p'$ emitting symbol $e$, $\mu(p) \rhd^{e}_{S} \mu(p')$ holds.

(In addition, some technical conditions relating the initial states of $A_P$ and $A_S$ must hold.)

A verification method based on progress measures for proving $L(A_P) \subseteq L(A_S)$ is sound if the existence of a progress measure implies that $L(A_P) \subseteq L(A_S)$ holds. In that case, whenever $p_0, p_1, \ldots$ is a run over a behavior $e_0, e_1, \ldots$ in $L(A_P)$,³ the $\rhd$-related sequence $\mu(p_0) \rhd^{e_0}_{S} \mu(p_1) \rhd^{e_1}_{S} \cdots$ (whose existence is guaranteed by the verification condition above) gives rise to a run of $A_S$ over $e_0, e_1, \ldots$. A method is complete if such a $\mu$ is guaranteed to exist whenever $A_P$ satisfies $A_S$.

In this paper we describe some progress measures and corresponding verification methods. The progress measures that we call the refinement measure, the prophecy measure, and the history measure form the basis for the verification methods presented in [Mer89, Lam83, LT87, Par81, Sis89a, Sta88]. A new progress measure, called the ND measure, yields a new sound and complete verification method for specifications defined by safety automata, infinite-state automata with bounded nondeterminism. Such automata can express any safety property,⁴ but cannot specify liveness properties [AL88, Kla90]. Thus, this paper describes the use of progress measures to derive a new verification method as well as their use to better understand the power and limitations of existing methods.

The remainder of the paper is organized as follows. In Section 2 we describe some simple progress measures, consider how they might be used in a verification method, and explain why the resulting methods are incomplete. Section 3 discusses properties of refinement, prophecy, history, and ND progress measures. Then Section 4 explains how to reformulate verification methods from the literature for safety properties in terms of these progress measures. Section 5 relates our approach to recursion theory. Section 6 contains a summary.

2  Motivation 

In this section we consider some candidate progress measures for showing that $L(A_P) \subseteq L(A_S)$ holds. This leads to a proof that there can be no sound and complete verification method based on a progress measure that maps states of $A_P$ either to states of $A_S$ or to sets of states of $A_S$.

³ A run of an automaton is a sequence of automaton states corresponding to a behavior accepted by that automaton.

⁴ Informally, a safety property is one stating that some "bad thing" does not happen. Formally, a safety property is a closed set [AS85].


2.1  Definitions 


Let $\Sigma$ be a fixed (at most) countable alphabet of symbols called events (representing actions, communications, or observable parts of states). A behavior is a sequence (infinite if not otherwise stated) $e_0, e_1, \ldots$ of events. Let $V$ be a set of states. A transition relation on $V$ is a relation $\rightarrow \subseteq V \times \Sigma \times V$, where a transition $(v, e, v') \in \rightarrow$ is denoted $v \xrightarrow{e} v'$. An automaton $A = (\Sigma, V, \rightarrow, V^0)$ consists of an alphabet $\Sigma$, a state space $V$, a transition relation $\rightarrow$ on $V$, and a set of initial states $V^0 \subseteq V$. A run of $A$ over a behavior $e_0, e_1, \ldots$ is an infinite $\rightarrow$-related sequence of states $v_0 \xrightarrow{e_0} v_1 \xrightarrow{e_1} \cdots$ with $v_0 \in V^0$. A behavior $e_0, e_1, \ldots$ is accepted by $A$, or is a behavior of $A$, if there is a run of $A$ over $e_0, e_1, \ldots$. The language or property $L(A)$ accepted by $A$ is the set of behaviors of $A$.

Automaton $A$ is complete if $V \neq \emptyset$ and every state $v \in V$ appears in some run. Note that a complete automaton accepts a non-empty language. Moreover, from every automaton $A = (\Sigma, V, \rightarrow, V^0)$ such that $L(A) \neq \emptyset$, it is possible to obtain a complete automaton $A'$ such that $L(A') = L(A)$ by deleting from $V$ those states that do not appear in any run. This procedure, however, is not computable, since it requires deciding whether there is an infinite path from a node in a graph, something that is $\Sigma^1_1$-complete for countable recursive graphs [Rog67].

Denote by $v \xrightarrow{u} v'$ that there exist $v_0, \ldots, v_{n+1}$ such that $v = v_0 \xrightarrow{e_0} v_1 \xrightarrow{e_1} \cdots \xrightarrow{e_n} v_{n+1} = v'$, where $u = e_0, \ldots, e_n$ is a finite behavior. Similarly, $v \xrightarrow{w}$ will mean that there exist $v_0, v_1, \ldots$ such that $v = v_0 \xrightarrow{e_0} v_1 \xrightarrow{e_1} \cdots$, where $w = e_0, e_1, \ldots$ is an infinite behavior. A state $v$ is reachable over $u$ if there is some $v^0 \in V^0$ such that $v^0 \xrightarrow{u} v$.


In what follows, we consider a program automaton $A_P = (\Sigma, V_P, \rightarrow_P, V^0_P)$ and a specification automaton $A_S = (\Sigma, V_S, \rightarrow_S, V^0_S)$.


2.2  Incompleteness  of  Refinement  Measures 


To define a verification method, we first consider the use of a progress measure $\mu$ that maps each state of $A_P$ to a single state of $A_S$. This approach is plausible, for whenever there is a run of $A_P$ over some behavior $e_0, e_1, \ldots$, there must be a corresponding behavior of $A_S$ over $e_0, e_1, \ldots$. More precisely, the method consists of finding $\mu$, called a refinement measure, that satisfies two criteria:


Definition 1 A refinement measure $\mu$ for $(A_P, A_S)$ is a mapping $\mu : V_P \rightarrow V_S$ such that:

(REμ1) $p \in V^0_P \Rightarrow \mu(p) \in V^0_S$

(REμ2) $p \xrightarrow{e}_P p' \Rightarrow \mu(p) \xrightarrow{e}_S \mu(p')$

Verification condition (REμ1) states that $\mu$ maps any initial state of $A_P$ to an initial state of $A_S$, and (REμ2) states that for every transition $p \xrightarrow{e}_P p'$ of $A_P$, there is a transition $\mu(p) \xrightarrow{e}_S \mu(p')$ of $A_S$. It is not hard to see that together these verification conditions imply that any behavior of $A_P$ is a behavior of $A_S$: let $e_0, e_1, \ldots$ be a behavior of $A_P$; then there is a run $p_0 \xrightarrow{e_0}_P p_1 \xrightarrow{e_1}_P \cdots$ of $A_P$, and from (REμ1) and (REμ2) it follows that $\mu(p_0) \xrightarrow{e_0}_S \mu(p_1) \xrightarrow{e_1}_S \cdots$ is a run of $A_S$.
Unfortunately, refinement measures do not yield a complete method for nondeterministic automata. Even for finite-state automata $A_P$ and $A_S$ such that $A_P$ satisfies $A_S$, a refinement measure may not exist. To see this, assume that $A_P$ satisfies $A_S$ and that this can be proved by some refinement measure $\mu$. Consider the situation:

[figure not reproduced: state $p$ of $A_P$ and states $s'$, $s''$ of $A_S$, all reachable over the finite behavior $u$]

where states $p$ of $A_P$ and $s'$, $s''$ of $A_S$ are all the states reachable over some finite $u$. Also assume that there exist $w'$ and $w''$ such that $u \cdot w'$ and $u \cdot w''$ are different behaviors. Suppose that $p_0, \ldots, p, p'_0, p'_1, \ldots$ is a run of $A_P$ over $u \cdot w'$ and that $p_0, \ldots, p, p''_0, p''_1, \ldots$ is a run over $u \cdot w''$. Thus $\mu(p_0), \ldots, \mu(p), \mu(p'_0), \mu(p'_1), \ldots$ must be a run of $A_S$ over $u \cdot w'$ and $\mu(p_0), \ldots, \mu(p), \mu(p''_0), \mu(p''_1), \ldots$ must be a run of $A_S$ over $u \cdot w''$, because $A_P$ satisfies $A_S$. However, this is impossible because for $u \cdot w'$, it must be the case that $\mu(p) = s'$, and for $u \cdot w''$, it must be the case that $\mu(p) = s''$.

2.3  Incompleteness  of  Measures  Mapping  to  Sets  of  States 

To avoid the incompleteness inherent in refinement measures, we might consider a progress measure that maps program states to sets of specification states. For the situation above, we would define $\mu(p) = \{s', s''\}$, where the set $\{s', s''\}$ is called a prophecy set,⁵ because it predicts that either $s'$ or $s''$ is the state of the specification automaton corresponding to $p$.

Unfortunately, even a method based on mapping program states to sets of specification states cannot be complete. For example, if we employ prophecy sets, a problem arises when a state $p$ of $A_P$ can be reached by different behaviors, each giving rise to a different set. Two such sets, corresponding to finite behaviors $u$ and $v$, are depicted below:

[figure not reproduced: the prophecy sets of $p$ reached over $u$ and over $v$]

It turns out that a complete method must distinguish between such prophecy sets.

To see more formally that no method based on progress measures that map to sets of specification states exists, consider an automaton $A_S$ given by

[figure not reproduced: states 1 and 2; as the text below states, state 1 has self-loops on $a$ and $b$, and state 2 has self-loops on $a$ and $c$]

where both states 1 and 2 are initial states. The behaviors defined by $A_S$ are the sequences that consist of either $a$'s and $b$'s or $a$'s and $c$'s (i.e. the $\omega$-regular language $(a + b)^\omega \cup (a + c)^\omega$). We first show that there can be no progress relation $\rhd_S$ on $V_S = \{1, 2\}$ yielding a reasonable verification method. Such a method would satisfy two criteria:

i. If $C_0 \rhd^{e_0}_{S} C_1 \rhd^{e_1}_{S} C_2 \rhd^{e_2}_{S} \cdots$, where $C_0, C_1, \ldots$ are sets of specification states, then there are $s_0 \in C_0, s_1 \in C_1, \ldots$ such that $s_0 \xrightarrow{e_0}_S s_1 \xrightarrow{e_1}_S \cdots$ is a run of $A_S$.

ii. If $L(A_P) \subseteq L(A_S)$ then a progress measure $\mu$ exists such that a state $s$ need only be in $\mu(p)$ if there is a $u$ such that both $p$ and $s$ are reachable over $u$ and for some infinite behavior $w$, $u \cdot w$ is allowed by $A_S$.

Criterion i must hold for the method to be sound; note that there need not be any condition on $C_0$ with respect to initial states, because both states of $A_S$ are initial. Criterion ii is an assumption that if $L(A_P) \subseteq L(A_S)$, then a progress measure $\mu$ exists such that $\mu(p)$ only contains states that actually occur in runs of $A_S$ when $p$ occurs in a corresponding run of $A_P$.

⁵ The notions of prophecy and history are from [AL88].

Our proof that there is no complete verification method based on a progress relation $\rhd_S$ satisfying the criteria involves two programs. The first is $A_{P1}$

[figure not reproduced: $\delta \xrightarrow{b} \beta$ and $\delta \xrightarrow{c} \gamma$, with $\beta$ looping on $b$ and $\gamma$ looping on $c$]

where state $\delta$ is the initial state. There are two infinite behaviors of $A_{P1}$, namely $b, b, b, \ldots$ and $c, c, c, \ldots$, i.e. $A_{P1}$ satisfies $A_S$. Thus since we assume that the hypothesized method is complete, there must exist a progress measure $\mu$. By Criterion i, $\mu(\delta)$ must contain state 1, because $\delta \xrightarrow{b}_{P1} \beta \xrightarrow{b}_{P1} \beta \xrightarrow{b}_{P1} \cdots$ is a run of $A_{P1}$ and the only corresponding run of $A_S$ is $1 \xrightarrow{b}_S 1 \xrightarrow{b}_S \cdots$. Similarly, $\mu(\delta)$ must contain 2, $\mu(\beta)$ must contain 1, and $\mu(\gamma)$ must contain 2. By Criterion ii, $\mu(\beta)$ does not contain 2, and $\mu(\gamma)$ does not contain 1. Thus $\mu(\delta) = \{1, 2\}$, $\mu(\beta) = \{1\}$, and $\mu(\gamma) = \{2\}$. Since $\delta \xrightarrow{b}_{P1} \beta \xrightarrow{b}_{P1} \beta \xrightarrow{b}_{P1} \cdots$ is a run of $A_{P1}$, $\mu(\delta) \rhd^{b}_{S} \mu(\beta) \rhd^{b}_{S} \mu(\beta) \rhd^{b}_{S} \cdots$ must hold. In particular, $\{1, 2\} \rhd^{b}_{S} \{1\}$ must hold.

By an analogous argument, $\{1, 2\} \rhd^{c}_{S} \{2\}$ must hold.

The second program is $A_{P2}$

[figure not reproduced: $\beta \xrightarrow{b} \delta$ and $\gamma \xrightarrow{c} \delta$, with $\delta$ looping on $a$]

whose initial states are $\beta$ and $\gamma$. The behaviors of this program are $b, a, a, a, \ldots$ and $c, a, a, a, \ldots$. Thus $A_{P2}$ satisfies $A_S$. By arguments similar to those above, $\mu(\beta) = \{1\}$, $\mu(\gamma) = \{2\}$, and $\mu(\delta) = \{1, 2\}$ hold. Thus $\{1\} \rhd^{b}_{S} \{1, 2\}$ and $\{2\} \rhd^{c}_{S} \{1, 2\}$ must hold.

From $A_{P1}$ and $A_{P2}$, we conclude that there is a sequence $\{1, 2\} \rhd^{c}_{S} \{2\} \rhd^{c}_{S} \{1, 2\} \rhd^{b}_{S} \{1\} \rhd^{b}_{S} \{1, 2\} \rhd^{c}_{S} \cdots$. However, this contradicts Criterion i because $A_S$ does not allow the behavior $c, c, b, b, c, c, b, b, \ldots$.
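The following Python program is an added example; it is not part of the paper. It encodes the automata $A_S$, $A_{P1}$ and $A_{P2}$ of this section as dictionaries and searches exhaustively for a refinement measure in the sense of Definition 1, which makes the incompleteness argument of Section 2.2 mechanical: $A_{P1}$ satisfies $A_S$, yet every candidate $\mu : V_P \rightarrow V_S$ fails (REμ2), because $\delta$ would have to map to 1 for the $b$-branch and to 2 for the $c$-branch. For contrast, a deterministic specification `A_S_det` for $\{b^\omega, c^\omega\}$ is constructed here (it is not in the paper); since $A_{P1}$ is historical, Proposition 1 of Section 3.1 predicts that a refinement measure exists against it, and the search finds one. The dictionary encoding and all state names are this example's own conventions.

```python
"""Exhaustive search for a refinement measure (Definition 1).

Automata are dicts: "init" is the set of initial states and "delta" maps
(state, event) to the set of successor states.  Constructed example inputs
follow Section 2.3 of the paper; this code is not the paper's own.
"""
from itertools import product


def states_of(A):
    """All states mentioned by the automaton (initial states plus transition ends)."""
    return set(A["init"]) | {v for (v, _) in A["delta"]} | {
        v2 for vs in A["delta"].values() for v2 in vs}


def is_refinement_measure(AP, AS, mu):
    """(RE mu 1) and (RE mu 2) of Definition 1 for a candidate mu: V_P -> V_S."""
    # (RE mu 1): initial program states map to initial specification states.
    if not all(mu[p] in AS["init"] for p in AP["init"]):
        return False
    # (RE mu 2): every program transition p -e-> p' has a matching
    # specification transition mu(p) -e-> mu(p').
    return all(mu[p2] in AS["delta"].get((mu[p], e), ())
               for (p, e), ps in AP["delta"].items() for p2 in ps)


def find_refinement_measure(AP, AS):
    """Try every map V_P -> V_S; return the first refinement measure, or None."""
    ps = sorted(states_of(AP), key=str)
    for image in product(sorted(states_of(AS), key=str), repeat=len(ps)):
        mu = dict(zip(ps, image))
        if is_refinement_measure(AP, AS, mu):
            return mu
    return None


# Constructed inputs, following Section 2.3: A_S has initial states 1 and 2;
# 1 loops on a and b, 2 loops on a and c, so L(A_S) = (a+b)^w + (a+c)^w.
A_S = {"init": {1, 2},
       "delta": {(1, "a"): {1}, (1, "b"): {1}, (2, "a"): {2}, (2, "c"): {2}}}

# A_P1: delta -b-> beta (beta loops on b) and delta -c-> gamma (gamma loops on c).
A_P1 = {"init": {"delta"},
        "delta": {("delta", "b"): {"beta"}, ("beta", "b"): {"beta"},
                  ("delta", "c"): {"gamma"}, ("gamma", "c"): {"gamma"}}}

# A_P2: beta -b-> delta, gamma -c-> delta, and delta loops on a.
A_P2 = {"init": {"beta", "gamma"},
        "delta": {("beta", "b"): {"delta"}, ("gamma", "c"): {"delta"},
                  ("delta", "a"): {"delta"}}}

# A deterministic specification for {b^w, c^w} (constructed, not in the paper):
# A_P1 is historical, so by Proposition 1 a refinement measure must exist here.
A_S_det = {"init": {0},
           "delta": {(0, "b"): {1}, (1, "b"): {1}, (0, "c"): {2}, (2, "c"): {2}}}


if __name__ == "__main__":
    print(find_refinement_measure(A_P1, A_S))      # None: the Section 2.2 obstacle
    print(find_refinement_measure(A_P2, A_S))      # None, for the same reason
    print(find_refinement_measure(A_P1, A_S_det))  # {'beta': 1, 'delta': 0, 'gamma': 2}
```

The search is exponential in $|V_P|$ and only makes sense for the tiny finite-state automata of this section; its purpose is to show that the obstacle is not a failure to find the right $\mu$ but the non-existence of any $\mu$ of refinement type.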


3  Measures  for  Nondeterministic  Automata 

We now develop verification methods for establishing $L(A_P) \subseteq L(A_S)$ by means of progress measures. In particular, we introduce the ND progress measure and define the simpler refinement measure, prophecy measure, and history measure along the way. We also give necessary conditions for these measures to constitute complete verification methods.

The following definitions will be required. For an automaton $A$, the set of states reachable over $e_0, \ldots, e_n$ is denoted $\mathcal{R}_A(e_0, \ldots, e_n)$. Note that $\mathcal{R}_A() = V^0$. A transition relation $\rightarrow$ has bounded nondeterminism if for all $e \in \Sigma$ and all $v \in V$, the set $\{v' \mid v \xrightarrow{e} v'\}$ is finite. Automaton $A = (\Sigma, V, \rightarrow, V^0)$ is a safety automaton if $V^0$ is finite and $\rightarrow$ has bounded nondeterminism. And, if $V^0$ and all sets $\{v' \mid v \xrightarrow{e} v'\}$ have at most one element, then $A$ is deterministic. Observe that if $A$ is deterministic, then for all $e_0, \ldots, e_n$, the set $\mathcal{R}_A(e_0, \ldots, e_n)$ has at most one element. If for all $v$ in $V$ there is at most one finite behavior $e_0, \ldots, e_n$ such that $v \in \mathcal{R}_A(e_0, \ldots, e_n)$, then $A$ is historical; the intuition is that each state corresponds to at most one finite behavior or history leading up to that state.

3.1  Refinement  Measure 

By imposing restrictions on $A_P$ and $A_S$, a complete verification method based on refinement measures can be obtained:

Proposition 1 Let $A_P$ be a historical automaton (assumed complete according to the discussion in Section 2.1) and let $A_S$ be a deterministic automaton. Then, $L(A_P) \subseteq L(A_S)$ if and only if $(A_P, A_S)$ has a refinement measure.

Proof (Soundness) The argument was given in Section 2.2.

(Completeness) Let $p \in V_P$. Note that:

• By the assumption that $A_P$ is complete, there is a finite behavior $e_0, \ldots, e_n$ such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$, and by the assumption that $A_P$ is historical, this behavior is unique.

• Since $A_P$ is complete, there are $e_{n+1}, e_{n+2}, \ldots$ such that $e_0, e_1, \ldots \in L(A_P)$, whence, by the assumption that $L(A_P) \subseteq L(A_S)$, $\mathcal{R}_{A_S}(e_0, \ldots, e_n) \neq \emptyset$.

• Since $A_S$ is deterministic, $\mathcal{R}_{A_S}(e_0, \ldots, e_n)$ has at most one element.

Thus we can define $\mu(p) = s$, where $\{s\} = \mathcal{R}_{A_S}(e_0, \ldots, e_n)$ and $e_0, \ldots, e_n$ is the unique finite behavior such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$.

Since $A_P$ is historical, there is a single initial state $p^0$, and by the definition of $\mu$, $\mu(p^0) = s^0$, where $s^0$ is the single initial state of $A_S$; thus (REμ1) is satisfied.

To see that (REμ2) holds, let $p$, $e$, and $p'$ be such that $p \xrightarrow{e}_P p'$. Then $p$ is reachable over a unique finite behavior $e_0, \ldots, e_n$. Thus $p'$ is reachable over the finite behavior $e_0, \ldots, e_n, e$. It follows that $\mathcal{R}_{A_S}(e_0, \ldots, e_n) = \{s\}$ and $\mathcal{R}_{A_S}(e_0, \ldots, e_n, e) = \{s'\}$ with $s \xrightarrow{e}_S s'$. Thus $s = \mu(p) \xrightarrow{e}_S \mu(p') = s'$. □


3.2  Prophecy  Relation  and  Measure 

By imposing restrictions on $A_P$ and $A_S$, a complete method based on mapping program states to prophecy sets can be obtained. For this method, if $p$ is a program state reachable by $e_0, \ldots, e_n$, $\mu(p)$ is a set of specification states reachable by $e_0, \ldots, e_n$. Hence on a transition $p \xrightarrow{e}_P p'$, the value of the progress measure $\mu$ should change so that every $s' \in \mu(p')$ is reachable. This can be assured by requiring that to every state $s'$ in $\mu(p')$ there corresponds a state $s$ in $\mu(p)$ such that $s \xrightarrow{e}_S s'$. Thus we define:
Definition 2 The prophecy relation $\rhd_{PR}$ of a transition relation $\rightarrow$ on $V$ is the transition relation on $\mathcal{P}V$ given as:⁶

(▷PR) $S \rhd^{e}_{PR} S'$ if $\forall s' \in S' : \exists s \in S : s \xrightarrow{e} s'$

An infinite $\rhd_{PR}$-related sequence of non-empty finite sets gives rise to an infinite $\rightarrow$-related sequence of states:

Lemma 1 (Prophecy Relation Lemma) If $S_0 \rhd^{e_0}_{PR} S_1 \rhd^{e_1}_{PR} \cdots$ and $S_i \neq \emptyset$ is finite for all $i$, then there exists a sequence $s_0 \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots$ with $s_i \in S_i$ for $i \geq 0$.

Proof Construct a forest as follows. Each node is of the form $s_0 \xrightarrow{e_0} \cdots \xrightarrow{e_{n-1}} s_n$ such that $s_i \in S_i$ for $i \leq n$ and $s_i \xrightarrow{e_i} s_{i+1}$ for $i < n$; in particular, the roots are elements of $S_0$. The edges are of the form

$(s_0 \xrightarrow{e_0} \cdots \xrightarrow{e_{n-1}} s_n,\ s_0 \xrightarrow{e_0} \cdots \xrightarrow{e_{n-1}} s_n \xrightarrow{e_n} s_{n+1}).$

Since $S_i$ is finite, the forest is a finite collection of finitely branching trees. The forest is infinite, because for all $n$, it follows from $S_0 \rhd^{e_0}_{PR} S_1 \rhd^{e_1}_{PR} \cdots$ and $S_i \neq \emptyset$ that there are some $s_0, \ldots, s_n$ such that $s_0 \xrightarrow{e_0} \cdots \xrightarrow{e_{n-1}} s_n$ is a node. Hence by König's Lemma, there is an infinite path through one of the trees. This path defines $s_0 \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots$. □


A prophecy progress measure maps each program state to a finite set of specification states:

Definition 3 A prophecy measure $\mu$ for $(A_P, A_S)$ is a mapping $\mu : V_P \rightarrow \mathcal{F}V_S$ such that:⁷

(PRμ1) $p \in V^0_P \Rightarrow \mu(p) \subseteq V^0_S$

(PRμ2) $p \xrightarrow{e}_P p' \Rightarrow \mu(p) \rhd^{e}_{PR} \mu(p')$

(PRμ3) $\mu(p) \neq \emptyset$

where $\rhd_{PR}$ is the prophecy relation of $\rightarrow_S$.

Prophecy measures give a sound and complete verification method for historical program automata and safety specification automata:

⁶ $\mathcal{P}V$ denotes the set of all subsets of $V$.

⁷ $\mathcal{F}V$ denotes the set of all finite subsets of $V$.


Proposition 2 Let $A_P$ be a historical automaton (assumed complete) and let $A_S$ be a safety automaton. Then, $L(A_P) \subseteq L(A_S)$ if and only if $(A_P, A_S)$ has a prophecy measure.

Proof "⇐" Assume that $(A_P, A_S)$ has a prophecy measure $\mu$. Let $p_0 \xrightarrow{e_0}_P p_1 \xrightarrow{e_1}_P \cdots$ be a run of $A_P$. By (PRμ2), $\mu(p_0) \rhd^{e_0}_{PR} \mu(p_1) \rhd^{e_1}_{PR} \cdots$, and by (PRμ3), $\mu(p_i) \neq \emptyset$ for $i \geq 0$. We can use the Prophecy Relation Lemma to obtain a sequence $s_0 \xrightarrow{e_0}_S s_1 \xrightarrow{e_1}_S \cdots$ where $s_0 \in \mu(p_0)$. By (PRμ1), $s_0 \in \mu(p_0) \subseteq V^0_S$, whence $s_0 \xrightarrow{e_0}_S s_1 \xrightarrow{e_1}_S \cdots$ is a run of $A_S$.

"⇒" Assume $L(A_P) \subseteq L(A_S)$. Define $\mu(p) = \mathcal{R}_{A_S}(e_0, \ldots, e_n)$, where $e_0, \ldots, e_n$ is the unique finite behavior such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$; by the assumption that $A_P$ is complete, there is a sequence $e_0, \ldots, e_n$, and by the assumption that $A_P$ is historical, this sequence is unique. By the assumption that $A_S$ is a safety automaton, $\mu(p)$ is finite.

Since $A_P$ is complete, there are $e_{n+1}, e_{n+2}, \ldots$ such that $e_0, e_1, \ldots \in L(A_P)$. Since $L(A_P) \subseteq L(A_S)$, $\mathcal{R}_{A_S}(e_0, \ldots, e_n) \neq \emptyset$. Hence for all $p$, $\mu(p)$ is nonempty, i.e. (PRμ3) holds.

By the assumption that $A_P$ is historical, there is a single initial state $p^0$, and by the definition of $\mu$, $\mu(p^0) = V^0_S$; thus (PRμ1) is satisfied.

Finally, to prove that (PRμ2) holds, let $p$, $e$, and $p'$ be such that $p \xrightarrow{e}_P p'$. There is a unique finite word $e_0, \ldots, e_n$ such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$. Define

$S' = \{s' \mid \exists s \in \mu(p) : s \xrightarrow{e}_S s'\}.$

It can be seen that $S' = \mathcal{R}_{A_S}(e_0, \ldots, e_n, e) = \mu(p')$. By definition of the prophecy relation, $\mu(p) \rhd^{e}_{PR} \mu(p')$, whence (PRμ2) holds. □

Note that the proof of the "⇐" direction does not depend on any assumptions about $A_P$ or $A_S$.

It follows from the discussion in Section 2.2 that the method of prophecy measures is not complete if the restriction that $A_P$ be historical is removed. In the next section, we overcome this limitation by instead imposing a further restriction on the specification automaton.

3.3  History  Relation  and  Measure 

Assume now that $L(A_P) \subseteq L(A_S)$ and that specification automaton $A_S$ is deterministic. Consider a program state $p$. It can be reached by different finite behaviors. Let the progress measure $\mu(p)$ be the history set, the set of specification states that are reached by these finite behaviors (there is one such state per behavior because $A_S$ is deterministic). On a transition $p \xrightarrow{e}_P p'$ and for each state $s \in \mu(p)$, there must be a state $s' \in \mu(p')$ such that $s \xrightarrow{e}_S s'$; this ensures that every partial run (history) of $A_S$ can be extended. Thus we define:

Definition 4 The history relation $\rhd_{HI}$ of a transition relation $\rightarrow$ on $V$ is the transition relation on $\mathcal{P}V$ given as:

(▷HI) $C \rhd^{e}_{HI} C'$ if $\forall s \in C : \exists s' \in C' : s \xrightarrow{e} s'$

The history relation of $\rightarrow$ has the following property:

Lemma 2 (History Relation Lemma) If $C_0 \rhd^{e_0}_{HI} C_1 \rhd^{e_1}_{HI} \cdots$, then for all $s_0 \in C_0$, there exists a sequence $s_0 \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots$ with $s_i \in C_i$ for all $i$.

Proof Let $s_0$ be any state in $C_0$. Then by definition of $\rhd^{e_0}_{HI}$ there is a state $s_1$ in $C_1$ such that $s_0 \xrightarrow{e_0} s_1$. By iterating this argument, we obtain $s_0 \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots$ such that for all $i$, $s_i \in C_i$. □


A history measure maps a program state to a possibly infinite set of specification states:

Definition 5 A history measure $\mu$ for $(A_P, A_S)$ is a mapping $\mu : V_P \rightarrow \mathcal{P}V_S$ such that

(HIμ1) $p \in V^0_P \Rightarrow \exists s \in \mu(p) : s \in V^0_S$

(HIμ2) $p \xrightarrow{e}_P p' \Rightarrow \mu(p) \rhd^{e}_{HI} \mu(p')$

where $\rhd_{HI}$ is the history relation of $\rightarrow_S$.

History measures give a complete verification method for deterministic specification automata:

Proposition 3 Let $A_P$ be an automaton (assumed complete) and let $A_S$ be a deterministic automaton. Then, $L(A_P) \subseteq L(A_S)$ iff $(A_P, A_S)$ has a history measure.

Proof "⇐" Let $p_0 \xrightarrow{e_0}_P p_1 \xrightarrow{e_1}_P \cdots$ be a run of $A_P$. By (HIμ1) there is an $s_0 \in \mu(p_0)$ such that $s_0 \in V^0_S$. By (HIμ2), $\mu(p_0) \rhd^{e_0}_{HI} \mu(p_1) \rhd^{e_1}_{HI} \cdots$. Thus by the History Relation Lemma, there is a run $s_0 \xrightarrow{e_0}_S s_1 \xrightarrow{e_1}_S \cdots$ of $A_S$.

"⇒" Assume $L(A_P) \subseteq L(A_S)$. Define $\mu(p) = \bigcup_{p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)} \mathcal{R}_{A_S}(e_0, \ldots, e_n)$, where the union is over all finite behaviors $e_0, \ldots, e_n$ such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$.

To prove (HIμ1), let $p \in V^0_P$. Note that $\mathcal{R}_{A_S}()$ contains the initial state $s^0$ of $A_S$ because $A_P$ is complete. Since $p \in \mathcal{R}_{A_P}()$, it follows that $\mathcal{R}_{A_S}() \subseteq \mu(p)$; thus $s^0 \in \mu(p)$.
To see that (HIμ2) holds, let $p$, $e$, $p'$, and $s$ be such that $p \xrightarrow{e}_P p'$ and $s \in \mu(p)$. Thus there is a behavior $e_0, \ldots, e_n$ such that $s \in \mathcal{R}_{A_S}(e_0, \ldots, e_n)$ and $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$. Since $A_S$ is deterministic, $\mathcal{R}_{A_S}(e_0, \ldots, e_n)$ is the singleton $\{s\}$. It follows that $\mathcal{R}_{A_S}(e_0, \ldots, e_n, e)$ is a set $\{s'\}$ such that $s \xrightarrow{e}_S s'$ and that $s' \in \mu(p')$, because $p' \in \mathcal{R}_{A_P}(e_0, \ldots, e_n, e)$. Thus (HIμ2) holds. □

According to the results of Section 2.2, history measures do not constitute a complete verification method for nondeterministic $A_S$.

3.4  ND  Relation  and  Measure 

We have discussed progress relations that give complete methods for two special cases above: prophecy relations when $A_P$ is historical and history relations when $A_S$ is deterministic. Our solution to the general case consists of combining these relations: the ND progress relation is the history relation of the prophecy relation.

Definition 6 The ND relation $\rhd_{ND}$ on $\mathcal{P}\mathcal{F}V$ of a transition relation $\rightarrow$ on $V$ is defined as:

(▷ND) $C \rhd^{e}_{ND} C'$ if $\forall S \in C : \exists S' \in C' : \forall s' \in S' : \exists s \in S : s \xrightarrow{e} s'$

An immediate consequence of the two preceding lemmas is:

Lemma 3 (ND Relation Lemma) If $C_0 \rhd^{e_0}_{ND} C_1 \rhd^{e_1}_{ND} \cdots$, $S_0 \in C_0$, and $\emptyset \notin C_i$ for all $i$, then there is a sequence $s_0 \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots$ with $s_0 \in S_0$.

Proof As $S_0 \in C_0$ and $C_0 \rhd^{e_0}_{ND} C_1 \rhd^{e_1}_{ND} \cdots$, there is by the History Relation Lemma a sequence $S_0 \rhd^{e_0}_{PR} S_1 \rhd^{e_1}_{PR} \cdots$ with $S_i \in C_i$.

Moreover, since $\emptyset \notin C_i$, i.e. $S_i \neq \emptyset$, and since $S_i$ is finite for all $i$, it follows by the Prophecy Relation Lemma that there is a sequence $s_0 \xrightarrow{e_0} s_1 \xrightarrow{e_1} \cdots$ such that $s_0 \in S_0$. □

An ND measure $\mu$ associates with each program state a (history) set of (prophecy) sets of specification states:

Definition 7 An ND measure $\mu$ for $(A_P, A_S)$ is a mapping $\mu : V_P \rightarrow \mathcal{P}\mathcal{F}V_S$ such that

(NDμ1) $p \in V^0_P \Rightarrow \exists S \in \mu(p) : S \subseteq V^0_S$

(NDμ2) $p \xrightarrow{e}_P p' \Rightarrow \mu(p) \rhd^{e}_{ND} \mu(p')$

(NDμ3) $\emptyset \notin \mu(p)$

Our main result is:
Our  main  result  is: 
Theorem 1 Let $A_P$ be an automaton (assumed complete) and $A_S$ a safety automaton. Then, $L(A_P) \subseteq L(A_S)$ if and only if $(A_P, A_S)$ has an ND measure.

Proof "⇐" Let $p_0 \xrightarrow{e_0}_P p_1 \xrightarrow{e_1}_P \cdots$ be a run of $A_P$. By (NDμ2), $\mu(p_0) \rhd^{e_0}_{ND} \mu(p_1) \rhd^{e_1}_{ND} \cdots$, and by (NDμ1), there is a set $S_0 \in \mu(p_0)$ such that $S_0 \subseteq V^0_S$. Thus by (NDμ3) and the ND Relation Lemma, there is $s_0 \xrightarrow{e_0}_S s_1 \xrightarrow{e_1}_S \cdots$ such that $s_0 \in S_0 \subseteq V^0_S$. Therefore $s_0 \xrightarrow{e_0}_S s_1 \xrightarrow{e_1}_S \cdots$ is a run of $A_S$.

"⇒" Assume $L(A_P) \subseteq L(A_S)$. Define $\mu$ such that $S \in \mu(p)$ if and only if there is a finite behavior $e_0, \ldots, e_n$ such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$ and $S = \mathcal{R}_{A_S}(e_0, \ldots, e_n)$.

By the assumption that $A_P$ is complete, there is for any such behavior $e_0, \ldots, e_n$ a sequence $e_{n+1}, e_{n+2}, \ldots$ such that $e_0, e_1, \ldots \in L(A_P)$. Thus since $L(A_P) \subseteq L(A_S)$, it follows that $\mathcal{R}_{A_S}(e_0, \ldots, e_n) \neq \emptyset$. Hence for all $p$, $\mu(p)$ is a set of nonempty sets, i.e. (NDμ3) holds.

To prove that $\mu$ satisfies (NDμ1), assume that $p \in V^0_P$. By the definition of $\mu$, for all $p^0 \in V^0_P$, it holds that $V^0_S \in \mu(p^0)$, whence (NDμ1) is satisfied.

To prove that (NDμ2) holds, let $p$, $e$, and $p'$ be such that $p \xrightarrow{e}_P p'$ and let $S \in \mu(p)$. Thus there is a finite behavior $e_0, \ldots, e_n$ such that $p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)$ and $S = \mathcal{R}_{A_S}(e_0, \ldots, e_n)$. Define

$S' = \{s' \mid \exists s \in S : s \xrightarrow{e}_S s'\}.$

It can be seen that $S' = \mathcal{R}_{A_S}(e_0, \ldots, e_n, e) \in \mu(p')$. By definition of the prophecy relation, $S \rhd^{e}_{PR} S'$, whence (NDμ2) holds. □
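The following Python program is an added example, not code from the paper, serving Sections 3.2 through 3.4 together. It implements the prophecy relation (Definition 2), the history relation (Definition 4) and the ND relation (Definition 6) over finite automata, computes the ND measure $\mu(p) = \{\mathcal{R}_{A_S}(e_0, \ldots, e_n) \mid p \in \mathcal{R}_{A_P}(e_0, \ldots, e_n)\}$ of the "⇒" half of Theorem 1 as a reachability fixpoint over pairs $(p, \mathcal{R}_{A_S}(u))$, and checks (NDμ1) to (NDμ3) mechanically. Run on the automata of Section 2.3 it yields exactly the sets argued there; for $A_{P2}$ it gives $\mu(\delta) = \{\{1\}, \{2\}\}$, i.e. the two prophecy sets that a set-of-states measure could not keep apart. A third program `A_BAD`, constructed here and not in the paper, emits $b$ and then $c$'s and so violates $A_S$; for it the construction produces an empty prophecy set and the checker reports (NDμ3), which is the only condition that can fail for this construction. The dictionary encoding and state names are this example's own.

```python
"""Prophecy, history and ND relations, and the ND measure of Theorem 1.

Automata are dicts: "init" is the set of initial states, "delta" maps
(state, event) to the set of successors.  Constructed inputs follow
Section 2.3 of the paper; this code is an added example, not the paper's.
"""


def succ(A, v, e):
    """Successors of state v on event e (empty if there is no transition)."""
    return frozenset(A["delta"].get((v, e), ()))


def events(A):
    """Alphabet actually used by the automaton, read off its transitions."""
    return {e for (_, e) in A["delta"]}


def prophecy_rel(A, S, e, S2):
    """S >PR^e S' (Definition 2): every s' in S' has a predecessor s in S."""
    return all(any(s2 in succ(A, s, e) for s in S) for s2 in S2)


def history_rel(A, C, e, C2):
    """C >HI^e C' (Definition 4): every s in C has a successor s' in C'."""
    return all(any(s2 in succ(A, s, e) for s2 in C2) for s in C)


def nd_rel(A, C, e, C2):
    """C >ND^e C' (Definition 6): the history relation of the prophecy relation."""
    return all(any(prophecy_rel(A, S, e, S2) for S2 in C2) for S in C)


def nd_measure(AP, AS):
    """mu of the '=>' half of Theorem 1: S in mu(p) iff S = R_S(u) and p in R_P(u)
    for some finite behaviour u.  Computed as a fixpoint over pairs (p, R_S(u))."""
    S0 = frozenset(AS["init"])                 # R_S() = V_S^0
    pairs = {(p, S0) for p in AP["init"]}      # R_P() = V_P^0
    todo = list(pairs)
    while todo:
        p, S = todo.pop()
        for e in events(AP):
            S2 = frozenset(s2 for s in S for s2 in succ(AS, s, e))   # R_S(u e)
            for p2 in succ(AP, p, e):                                # p2 in R_P(u e)
                if (p2, S2) not in pairs:
                    pairs.add((p2, S2))
                    todo.append((p2, S2))
    mu = {}
    for p, S in pairs:
        mu.setdefault(p, set()).add(S)
    return mu


def nd_violations(AP, AS, mu):
    """Names of the conditions of Definition 7 that mu violates (empty: ND measure)."""
    bad = set()
    if not all(any(S <= AS["init"] for S in mu.get(p, ())) for p in AP["init"]):
        bad.add("NDmu1")
    for (p, e), ps in AP["delta"].items():
        if not all(nd_rel(AS, mu.get(p, ()), e, mu.get(p2, ())) for p2 in ps):
            bad.add("NDmu2")
    if any(frozenset() in C for C in mu.values()):
        bad.add("NDmu3")
    return bad


# Constructed inputs: the automata of Section 2.3.
A_S = {"init": {1, 2},
       "delta": {(1, "a"): {1}, (1, "b"): {1}, (2, "a"): {2}, (2, "c"): {2}}}
A_P1 = {"init": {"delta"},
        "delta": {("delta", "b"): {"beta"}, ("beta", "b"): {"beta"},
                  ("delta", "c"): {"gamma"}, ("gamma", "c"): {"gamma"}}}
A_P2 = {"init": {"beta", "gamma"},
        "delta": {("beta", "b"): {"delta"}, ("gamma", "c"): {"delta"},
                  ("delta", "a"): {"delta"}}}
# A program that does NOT satisfy A_S (constructed): it emits b and then c's.
A_BAD = {"init": {"delta"},
         "delta": {("delta", "b"): {"beta"}, ("beta", "c"): {"gamma"},
                   ("gamma", "c"): {"gamma"}}}


if __name__ == "__main__":
    for name, AP in [("A_P1", A_P1), ("A_P2", A_P2), ("A_BAD", A_BAD)]:
        mu = nd_measure(AP, A_S)
        shown = {p: sorted(sorted(S) for S in C) for p, C in mu.items()}
        print(name, shown, "violations:", nd_violations(AP, A_S, mu))
```

Because $A_S$ is a safety automaton, every behavior outside $L(A_S)$ has a finite prefix $u$ with $\mathcal{R}_{A_S}(u) = \emptyset$, so for a complete program automaton that violates the specification the fixpoint always reaches a pair $(p, \emptyset)$ and (NDμ3) fails; the checker is therefore a decision procedure for $L(A_P) \subseteq L(A_S)$ on finite-state inputs, while on infinite-state automata the fixpoint need not terminate.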


4  Derivation  of  Previous  Methods 

In this section we derive from our ND measures Abadi and Lamport's method [AL88] as applied to safety properties. We also show how to obtain the verification method of Merritt [Mer89] and Sistla [Sis89a].

Formulated in our terminology, the goal of [AL88] is to show $L(A_P) \subseteq L(A_S)$ by means of a refinement measure. This is done by adding history and prophecy information to the program automaton before the refinement mapping is constructed. This information is such that one can verify locally that the language $L(A_P)$ accepted does not shrink when it is added. The main result of [AL88] is that $L(A_P) \subseteq L(A_S)$ if and only if there is an automaton $A_{P''}$, obtained by adding first history, then prophecy information to $A_P$, and there is a refinement measure of $(A_{P''}, A_S)$. The work in [Mer89, Sis89a] represents what can be regarded as an intermediate approach between ours and that of [AL88]. Both [Mer89] and [Sis89a] rely on modifying the program automaton and using a prophecy measure: $L(A_P) \subseteq L(A_S)$ if and only if there is an automaton $A_{P'}$, obtained by adding history information to $A_P$, and there is a prophecy measure of $(A_{P'}, A_S)$.


4.1  Adding  History  Information 

Using ND measures, we can derive the method of [Mer89, Sis89a] as follows.

Definition 8 We say that $A_{P'} = (\Sigma, V_{P'}, \rightarrow_{P'}, V^0_{P'})$ is obtained from $A_P$ by adding history information if $V_{P'} \subseteq V_P \times I$, with $I$ countable, and

(HI1) $p \in V^0_P \Rightarrow \exists i : (p, i) \in V^0_{P'}$

(HI2) $p \xrightarrow{e}_P p' \wedge (p, i) \in V_{P'} \Rightarrow \exists i' : (p, i) \xrightarrow{e}_{P'} (p', i')$

Note that (HI1) and (HI2) are equivalent to saying that $\mu$ defined by $\mu(p) = \{(p, i) \in V_{P'}\}$ is a history measure for $(A_P, A_{P'})$. Also observe that $A_{P'}$ is not necessarily a complete automaton or a safety automaton, even if $A_P$ is.

Proposition 4 If $A_{P'}$ is obtained from $A_P$ by adding history information, then $L(A_P) \subseteq L(A_{P'})$.

Proof As noted above, $\mu(p) = \{(p, i) \in V_{P'}\}$ is a history measure for $(A_P, A_{P'})$. Thus by Proposition 3, $L(A_P) \subseteq L(A_{P'})$ holds. □

The method of [Mer89, Sis89a] now follows from Theorem 1:

Corollary 1 (of Theorem 1) Let $A_P$ be a complete automaton and let $A_S$ be a safety automaton. Then, $L(A_P) \subseteq L(A_S)$ if and only if there is an automaton $A_{P'}$, obtained by adding history information to $A_P$, and there is a prophecy measure for $(A_{P'}, A_S)$.

Proof "⇐" By Proposition 4, $L(A_P) \subseteq L(A_{P'})$, and by Proposition 2, $L(A_{P'}) \subseteq L(A_S)$.

"⇒" By Theorem 1 there is an ND measure $\mu_{ND}$ for $(A_P, A_S)$. Let $I = \mathcal{F}V_S$, $V_{P'} = \{(p, S) \mid S \in \mu_{ND}(p)\}$, $V^0_{P'} = \{(p, S) \in V_{P'} \mid p \in V^0_P, S \subseteq V^0_S\}$, and $(p, S) \xrightarrow{e}_{P'} (p', S')$ if $p \xrightarrow{e}_P p'$ and $S \rhd^{e}_{PR} S'$.

$A_{P'}$ is obtained from $A_P$ by adding history information. In fact, (HI1) is satisfied, because if $p \in V^0_P$, then by (NDμ1) there is an $S \in \mu_{ND}(p)$ such that $S \subseteq V^0_S$, thus $(p, S) \in V^0_{P'}$. Similarly, (HI2) follows from (NDμ2).

To finish the proof, we define the prophecy measure for $(A_{P'}, A_S)$ as $\mu(p, S) = S$. Then (PRμ1), (PRμ2), and (PRμ3) can be shown to hold. □
The completeness proofs of the methods in [AL88, Mer89, Sis89a] rely on changing $A_P$ into an infinite-state automaton by adding information that records the past history of states. In contrast, the analysis above shows that if $A_P$ and $A_S$ are finite-state, then $A_{P'}$ can be chosen to be finite-state: in the proof of Corollary 1, the added component of a state is a subset $S$ of $V_S$, so the number of different history sets is finite when $V_S$ is finite. In light of this observation, the terms history measure and history information are a bit misleading. Distinguishing among histories of the program automaton is not the cardinal point; what matters is to distinguish among prophecy sets of the specification automaton.


4.2  Adding  Prophecy  Information 

To  obtain  the  verification  method  of  [AL88],  we  define: 

Definition 9 $A_{P'} = (\Sigma, V_{P'}, \rightarrow_{P'}, V^0_{P'})$ is obtained from $A_P$ by adding prophecy information if $V_{P'} \subseteq V_P \times I$, with $I$ countable, and

(PR1) $p \in V^0_P \;\wedge\; (p,i) \in V_{P'} \;\Rightarrow\; (p,i) \in V^0_{P'}$

(PR2) $p \xrightarrow{e}_P p' \;\wedge\; (p',i') \in V_{P'} \;\Rightarrow\; \exists i : (p,i) \xrightarrow{e}_{P'} (p',i')$

(PR3) $\{i \mid (p,i) \in V_{P'}\}$ is finite and nonempty

Requiring (PR1), (PR2), and (PR3) is equivalent to stating that $\rho$ defined by $\rho(p) = \{(p,i) \mid (p,i) \in V_{P'}\}$ is a prophecy measure of $(A_P, A_{P'})$. Also observe that $A_{P'}$ is not necessarily a safety automaton, nor is it necessarily complete, even if $A_P$ has these properties.

Proposition 5 If $A_{P'}$ is a safety automaton obtained from $A_P$ by adding prophecy information, then $L(A_P) \subseteq L(A_{P'})$.

Proof Follows from Proposition 2 and from the observation above that $\rho(p) = \{(p,i) \mid (p,i) \in V_{P'}\}$ is a prophecy measure of $(A_P, A_{P'})$. $\square$

A  version  of  Theorem  2  of  [AL88]  follows  from  Theorem  1: 

Corollary 2 (of Theorem 1) Let $A_P$ be an automaton (assumed complete) and let $A_S$ be a safety automaton. Then $L(A_P) \subseteq L(A_S)$ if and only if there is a safety automaton $A_{P''}$, obtained by adding first history, then prophecy information to $A_P$, and a refinement measure for $(A_{P''}, A_S)$.

Proof "$\Leftarrow$" By Proposition 4 and Proposition 5, $L(A_P) \subseteq L(A_{P''})$. Moreover, it is easy to see that every run of $A_{P''}$ induces a run of $A_S$; thus $L(A_P) \subseteq L(A_{P''}) \subseteq L(A_S)$.
"$\Rightarrow$" Assume $L(A_P) \subseteq L(A_S)$. By Theorem 1 there is an ND measure $\rho$ of $(A_P, A_S)$. Let $A_{P''} = (\Sigma, V_{P''}, \rightarrow_{P''}, V^0_{P''})$, where $V_{P''}, V^0_{P''} \subseteq V_P \times (V_S \times \mathcal{P}V_S)$ are given by:

$V_{P''} = \{(p,s,S) \mid s \in S \in \rho(p)\}$

$V^0_{P''} = \{(p,s,S) \mid s \in S \in \rho(p) \;\wedge\; p \in V^0_P \;\wedge\; S \subseteq V^0_S\}$

and $(p,s,S) \xrightarrow{e}_{P''} (p',s',S')$ if $p \xrightarrow{e}_P p'$, $s \xrightarrow{e}_S s'$, and $S \triangleright_R S'$.

Then it is not hard to see that $A_{P''}$ is obtained by adding prophecy information to the $A_{P'}$ from the proof of Corollary 1. Also, it can be seen that $\rho_{RE}$ defined by $\rho_{RE}(p,s,S) = s$ is a refinement measure. $\square$


5  Discussion 

Our verification methods hinge on two restrictions: that the specification automaton has only bounded nondeterminism and that the program automaton is complete. The restriction to bounded nondeterminism is also imposed in previous methods. As discussed in [Sis89b], there are recursion-theoretic arguments showing that no reasonable verification method exists for automata having unbounded nondeterminism.

The restriction to complete program automata is also rooted in recursion theory. Merely determining whether an effectively presented nondeterministic automaton defines the empty set (i.e., that it has no infinite runs) is $\Pi^1_1$-complete, because there is a reduction from the $\Pi^1_1$-complete problem of determining whether an effectively represented tree has only finite paths. On the other hand, all the methods described here involve a second-order existential quantification; i.e., each method is of the form: $L(A_P) \subseteq L(A_S)$ if and only if there is a relation $R$ such that certain first-order conditions hold.$^8$ Thus the methods are essentially $\Sigma^1_1$ and therefore cannot possibly be used for the general problem $L(A_P) \subseteq L(A_S)$, where $A_P$ is nondeterministic and $A_S$ is a safety automaton.

One can lower the computational complexity by reformulating the verification problem. We say that $A_P$ simulates $A_S$ if each finite and infinite behavior of $A_P$ is a behavior of $A_S$. Paradoxically, the problem of determining whether a nondeterministic $A_P$ simulates a safety automaton $A_S$, something that looks stronger than $L(A_P) \subseteq L(A_S)$, is computationally much easier: the infinite behaviors are already determined by the finite ones. In fact, it can be shown that this problem is $\Pi^0_1$-complete.

$^8$An ND measure $\rho$ can be defined by $S \in \rho(p)$ if and only if $R(p, \#S)$, where $\#S$ is a number encoding the finite set $S$.

Thus, in order to avoid dealing with the rather strange concept of complete automata, it is not surprising that earlier papers [AL88, Mer89, Sis89a] are concerned with methods for showing that $A_P$ simulates $A_S$. Whether one considers only infinite behaviors or both finite and infinite behaviors, there is no substantial difference in how automata are related, except for the treatment of reachable program states that are not part of any run. In the first case they have to be excluded from consideration; in the second case they matter.

All our results are applicable for showing that $A_P$ simulates $A_S$; the only change is that a measure becomes a partial function, because there may be unreachable states of $A_P$. For example, Theorem 1 becomes:

Theorem 1' Let $A_P$ be a nondeterministic automaton and $A_S$ a safety automaton (with $V^0_S \neq \emptyset$). Then $A_P$ simulates $A_S$ if and only if $(A_P, A_S)$ has a partial ND measure.

In the statement of Theorem 1' we define

Definition 1' A partial ND measure $\rho$ for $(A_P, A_S)$ is a partial mapping $\rho : V_P \to \mathcal{P}\mathcal{P}V_S$ such that $V^0_P \subseteq \mathrm{dom}\,\rho$ and for all $p, p' \in \mathrm{dom}\,\rho$:

(ND$\mu$1) $p \in V^0_P \;\Rightarrow\; \exists S \in \rho(p) : S \subseteq V^0_S$

(ND$\mu$2) $p \xrightarrow{e}_P p' \;\Rightarrow\; \rho(p) \triangleright_{ND} \rho(p')$

(ND$\mu$3) $\emptyset \notin \rho(p)$

Here the reachable states are given by $\mathrm{dom}\,\rho$, which can be identified using traditional assertional techniques.
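The following Python program is an added example, not part of the paper or its authors' work. It makes two points of the text concrete in the finite-state case: the remark at the end of Section 4.1 that, when $A_P$ and $A_S$ are finite-state, only finitely many prophecy sets $S$ arise (so the history-augmented automaton with states $(p, S)$ is finite), and Theorem 1' with Definition 1', by computing a partial ND measure $\rho$ over the reachable states of $A_P$ and re-checking (ND$\mu$1), (ND$\mu$2), and (ND$\mu$3) on it. Two assumptions are made, both of them ours rather than the paper's: $A_S$ is a safety automaton in the sense that every run is accepting, so a word is a behavior of $A_S$ exactly when $A_S$ has a run on it; and the progress relation between prophecy sets is instantiated by the subset construction, i.e. $S'$ is the set of $A_S$-states reachable from $S$ on the emitted symbol. The class and function names (`Automaton`, `partial_nd_measure`, `check_conditions`) and the two small automata are constructed for this example.

```python
"""Added example: a partial ND measure for finite-state automata.

Assumptions (not from the paper): A_S is a safety automaton in which every
run is accepting, and the progress relation on prophecy sets is the subset
construction: S |> S' iff S' = post(S, e) for the emitted symbol e.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Automaton:
    """A finite nondeterministic automaton (constructed for this example)."""
    init: set
    trans: dict = field(default_factory=dict)  # (state, symbol) -> set of successors

    def add(self, src, sym, *dsts):
        self.trans.setdefault((src, sym), set()).update(dsts)

    def symbols_from(self, state):
        return sorted(sym for (s, sym) in self.trans if s == state)

    def post(self, states, sym):
        """States reachable from the set `states` on one symbol (subset construction)."""
        out = set()
        for s in states:
            out |= self.trans.get((s, sym), set())
        return frozenset(out)


def partial_nd_measure(ap, as_):
    """Explore A_P together with the prophecy sets of A_S.

    Returns (rho, counterexample).  rho maps each reachable program state p to
    the set of prophecy sets S in rho(p); it is total on dom rho = reachable
    states, as Definition 1' requires.  counterexample is None when A_P
    simulates A_S, otherwise a finite behavior of A_P on which A_S has no run
    (the word that produced an empty prophecy set, violating (ND mu 3)).
    Because V_S is finite there are finitely many S, so exploration terminates."""
    s0 = frozenset(as_.init)          # the initial prophecy set, S0 subset of V^0_S
    rho, queue = {}, deque()
    for p in sorted(ap.init):
        rho.setdefault(p, set()).add(s0)
        queue.append((p, s0, ""))
    while queue:
        p, S, word = queue.popleft()
        for sym in ap.symbols_from(p):
            S2 = as_.post(S, sym)
            if not S2:
                return rho, word + sym  # A_S cannot follow this step of A_P
            for p2 in sorted(ap.trans[(p, sym)]):
                if S2 not in rho.setdefault(p2, set()):
                    rho[p2].add(S2)
                    queue.append((p2, S2, word + sym))
    return rho, None


def check_conditions(ap, as_, rho):
    """Independently re-check (ND mu 1)-(ND mu 3) of Definition 1' for rho."""
    init_s = frozenset(as_.init)
    for p in ap.init:                 # (ND mu 1): some S in rho(p) lies within V^0_S
        if not any(S <= init_s for S in rho[p]):
            return False
    for p, Ss in rho.items():
        if frozenset() in Ss:         # (ND mu 3): the empty prophecy set never occurs
            return False
        for sym in ap.symbols_from(p):
            for p2 in ap.trans[(p, sym)]:
                for S in Ss:          # (ND mu 2): every step of A_P is matched by S |> S'
                    if as_.post(S, sym) not in rho.get(p2, set()):
                        return False
    return True


def example():
    """Constructed automata.  A_P alternates a, b forever.  A_S guesses on the
    first 'a' between a state y that can continue with 'b' and a branch z that
    cannot; the prophecy set {y, z} keeps both guesses, so no single-state
    (refinement) mapping would do."""
    ap = Automaton(init={0})
    ap.add(0, "a", 1)
    ap.add(1, "b", 0)
    as_ = Automaton(init={"x"})
    as_.add("x", "a", "y", "z")
    as_.add("y", "b", "x")
    as_.add("z", "a", "z")
    return ap, as_


if __name__ == "__main__":
    ap, as_ = example()
    rho, cex = partial_nd_measure(ap, as_)
    print("rho =", {p: sorted(map(sorted, Ss)) for p, Ss in rho.items()}, "ok:", cex is None)
    ap.add(1, "a", 0)                 # now A_P may emit 'a' from state 1 as well
    rho, cex = partial_nd_measure(ap, as_)
    print("after adding 1 -a-> 0, counterexample:", cex)
```

Running the block first prints $\rho(0) = \{\{x\}\}$ and $\rho(1) = \{\{y,z\}\}$ and reports simulation; after the extra transition $1 \xrightarrow{a} 0$ is added, the prophecy set collapses to $\{z\}$ and the word `aaab` is reported, since $z$ has no $b$-successor. The measure is a mapping from program states to sets of sets of specification states, exactly the shape the Summary attributes to ND measures, and its size is bounded by $|V_P| \cdot 2^{|V_S|}$.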

The approach of [AL88] is more general than ours in two respects. First, they show how safety and liveness issues can be separated by using automata that are equipped with auxiliary liveness properties. Second, stuttering automata are used. A stuttering automaton is one in which repetition of an event is considered a single event. Stuttering is important when multiple steps of the program automaton correspond to a single step of the specification automaton. For simplicity, we have not considered this issue here. In [AL89], translations between the method of [AL88] and our method (originally described in [KS89]) were first outlined.
6  Summary 


We have described a verification method based on our ND progress measure for nondeterministic automata. Unlike previous complete methods, ours is direct in the sense that it requires modifying neither the program nor the specification. Progress measures have also allowed us to classify the applicability of previous methods that do not depend on program transformations. Depending on whether $A_P$ is historical or nondeterministic, and on whether $A_S$ is deterministic or a safety automaton, the progress measure indicated below constitutes a sound and complete verification method for showing $L(A_P) \subseteq L(A_S)$:

                                    A_S
    A_P                  deterministic      safety
    historical           refinement         prophecy
    nondeterministic     history            ND

Unfortunately,  the  most  powerful  progress  measure,  the  ND  measure,  is  rather 
complex  since  it  maps  program  states  to  sets  of  sets  of  specification  states.  This 
complexity  is  inherent  in  the  verification  problem.  No  method  based  on  just  map¬ 
ping  program  states  to  sets  of  specification  states  can  be  both  sound  and  complete 
for  nondeterministic  automata. 